Re: [Tails-dev] Create random seed at installation time with Tails Installer
Hi,

kurono:
> I have made a first draft solution for this, I have updated the ticket
> accordingly:
> https://labs.riseup.net/code/issues/11897

Thanks for working on this! I've assigned this ticket to one of the two people (bertagaz, segfault) who committed to work on this during our last summit. Once your team agrees on the proposed changes please reassign to me for QA :)

Cheers,
-- 
intrigeri

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Create random seed at installation time with Tails Installer
kurono:
> ok great. I am still trying to get an idea of how to do this, but I
> think we could create a script in
> config/chroot_local-includes/lib/live/config/ where the early boot stuff
> is done. That script would copy the random-seed from the FAT filesystem,
> to the actual
> /var/lib/systemd/random-seed file.

An initramfs script run after live-boot has set up the root FS stack (SquashFS + aufs) might be better in the sense that it'll run *really* early. But whatever, as long as we do it before systemd starts the service that will use this seed :)

> AFAIK, it only has to be updated when shutting down the machine.
> The idea is that this file can not be equal for all the Tails
> installations and neither all the Tails booting processes.
> The idea with the installer was to solve the first problem, but maybe we
> also can solve the second.

I see. So we'll need to remount the FAT filesystem read-write on shutdown. The safest and most robust way might be to do it after we've returned to the shutdown initramfs, see the new memory wiping design doc for details. Anyway, that's for a later iteration :)

>> * What's the plan for upgrades of the Tails USB stick?
> If the upgrade is done with the installer, I guess the process is the
> same. If the upgrade is done internally by Tails, it depends if we
> manage to implement a solution for the second problem.

OK.

> Regarding the blueprint I can use the same we already had.
> https://tails.boum.org/blueprint/randomness_seeding/
> Or should I use other?

I didn't follow this much so I'll let you discuss this with your team-mates.
Re: [Tails-dev] Create random seed at installation time with Tails Installer
On 07/22/2017 03:13 PM, intrigeri wrote:
> kurono:
>> * The natural place to put it is in the usual seed file, inside the
>> Tails file system (filesystem.squashfs). But this would imply to extract
>> the image, change the file, and create a new image, which would be a lot
>> of extra work. Another disadvantage is that it makes any further file
>> integrity checking impossible.
>
> Ouch, no, let's not do that.
>

ok :)

>> * The other option is to locate it outside of the tails file system,
>
> You mean in the FAT filesystem that Tails Installer creates, right?
> If yes, then this seems like the best option. Another option would be
> somewhere in the GPT (IIRC someone researched that).
>

Yes I meant the FAT filesystem. According to this:
https://labs.riseup.net/code/issues/7675
The conclusion was that the GPT space is too small and "storing it on the FAT32 filesystem is certainly easier to do and less prone to accidents."

>> let's say the "binary" part, and link the random init script to this
>> file, only if we are creating it by the installer.
>
> I guess checking for this file's existence is enough.
>

ok.

>> I don't know if this last option is even possible.
>> Are there already some examples of it? Maybe the syslinux, etc?
>
> Yes, Tails Installer already creates / renames / mangles files in the
> FAT filesystem after extracting the content of the ISO filesystem.
>

ok great. I am still trying to get an idea of how to do this, but I think we could create a script in config/chroot_local-includes/lib/live/config/ where the early boot stuff is done. That script would copy the random-seed from the FAT filesystem, to the actual /var/lib/systemd/random-seed file.

> Just curious:
>
> * When do we update the content of this file?

AFAIK, it only has to be updated when shutting down the machine. The idea is that this file can not be equal for all the Tails installations and neither all the Tails booting processes.
The idea with the installer was to solve the first problem, but maybe we also can solve the second.

> * What's the plan for upgrades of the Tails USB stick?

If the upgrade is done with the installer, I guess the process is the same. If the upgrade is done internally by Tails, it depends if we manage to implement a solution for the second problem.

Regarding the blueprint I can use the same we already had.
https://tails.boum.org/blueprint/randomness_seeding/
Or should I use other?

cheers,
kurono

>
> Cheers,
>
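The flow discussed in this thread, as an added sketch that is not Tails or Tails Installer code: the installer writes a per-device seed into the FAT filesystem, and an early-boot step copies it to the systemd seed path only when the file exists and is complete. The FAT file name `random-seed`, the 512-byte size and both function names are assumptions.

```shell
#!/bin/sh
# Added sketch, not Tails code. The FAT file name "random-seed", the
# 512-byte size and both function names are assumptions.
SEED_NAME="random-seed"
SEED_BYTES=512

# Installer side (and, in a later iteration, shutdown side once the FAT
# filesystem is remounted read-write): write a fresh seed under mount $1.
write_fat_seed() {
    fat_root=$1
    tmp="$fat_root/$SEED_NAME.tmp"
    # Write under a temporary name first so an interrupted write never
    # leaves a truncated seed under the final name.
    head -c "$SEED_BYTES" /dev/urandom > "$tmp" || return 1
    mv -f "$tmp" "$fat_root/$SEED_NAME"
}

# Boot side: has to run before systemd starts the service that consumes
# $2 (/var/lib/systemd/random-seed on a real system).
import_fat_seed() {
    fat_root=$1
    dest=$2
    src="$fat_root/$SEED_NAME"
    # Existence check: a device not written by the installer has no seed.
    [ -f "$src" ] || return 1
    # Reject an empty or short file instead of installing a weak seed.
    size=$(($(wc -c < "$src")))
    [ "$size" -ge "$SEED_BYTES" ] || return 1
    # Create the destination unreadable to other users before any seed
    # bytes are written into it, then fix the mode of a pre-existing file.
    ( umask 077 && cat "$src" > "$dest" ) || return 1
    chmod 600 "$dest"
}
```

Until the shutdown-time refresh exists, every boot of a given device imports the same bytes, which is the second problem named in the thread.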
Re: [Tails-dev] Create random seed at installation time with Tails Installer
DrWhax:
> Maybe this requires a blueprint? :)

We have one already: https://tails.boum.org/blueprint/randomness_seeding/
Re: [Tails-dev] Create random seed at installation time with Tails Installer
intrigeri:
> kurono:
>> * The natural place to put it is in the usual seed file, inside the
>> Tails file system (filesystem.squashfs). But this would imply to extract
>> the image, change the file, and create a new image, which would be a lot
>> of extra work. Another disadvantage is that it makes any further file
>> integrity checking impossible.
>
> Ouch, no, let's not do that.
>
>> * The other option is to locate it outside of the tails file system,
>
> You mean in the FAT filesystem that Tails Installer creates, right?
> If yes, then this seems like the best option. Another option would be
> somewhere in the GPT (IIRC someone researched that).
>
>> let's say the "binary" part, and link the random init script to this
>> file, only if we are creating it by the installer.
>
> I guess checking for this file's existence is enough.
>
>> I don't know if this last option is even possible.
>> Are there already some examples of it? Maybe the syslinux, etc?
>
> Yes, Tails Installer already creates / renames / mangles files in the
> FAT filesystem after extracting the content of the ISO filesystem.
>
> Just curious:
>
> * When do we update the content of this file?
> * What's the plan for upgrades of the Tails USB stick?
>
> Cheers,
>

Maybe this requires a blueprint? :)

Thanks for working on this kurono!

Cheers,
DrWhax
Re: [Tails-dev] Create random seed at installation time with Tails Installer
kurono:
> * The natural place to put it is in the usual seed file, inside the
> Tails file system (filesystem.squashfs). But this would imply to extract
> the image, change the file, and create a new image, which would be a lot
> of extra work. Another disadvantage is that it makes any further file
> integrity checking impossible.

Ouch, no, let's not do that.

> * The other option is to locate it outside of the tails file system,

You mean in the FAT filesystem that Tails Installer creates, right? If yes, then this seems like the best option. Another option would be somewhere in the GPT (IIRC someone researched that).

> let's say the "binary" part, and link the random init script to this
> file, only if we are creating it by the installer.

I guess checking for this file's existence is enough.

> I don't know if this last option is even possible.
> Are there already some examples of it? Maybe the syslinux, etc?

Yes, Tails Installer already creates / renames / mangles files in the FAT filesystem after extracting the content of the ISO filesystem.

Just curious:

* When do we update the content of this file?
* What's the plan for upgrades of the Tails USB stick?

Cheers,
-- 
intrigeri
[Tails-dev] Create random seed at installation time with Tails Installer
Hi,

I have been analyzing how to implement this:
https://labs.riseup.net/code/issues/11897
and the difficult point here is where to locate the seed file on installation time. I see two options:

* The natural place to put it is in the usual seed file, inside the Tails file system (filesystem.squashfs). But this would imply to extract the image, change the file, and create a new image, which would be a lot of extra work. Another disadvantage is that it makes any further file integrity checking impossible.

* The other option is to locate it outside of the tails file system, let's say the "binary" part, and link the random init script to this file, only if we are creating it by the installer.

I don't know if this last option is even possible. Are there already some examples of it? Maybe the syslinux, etc?

cheers,
kurono